Safer Values of HPKP and HSTS (And Why You Should Avoid Them)


It is an unbelievable article title, as we have promoted HPKP and HSTS ever since they were introduced. The majority of websites that used HPKP (Public Key Pinning) unfortunately ran into trouble, including us (which we published as a guide) and well-known sites such as Smashing Magazine and Scott Helme's website. Most of these websites have published their experience of such bad incidents to warn others. HPKP protects against a rare attack that is not very relevant for content-driven websites. Here are possible safer values of HPKP and HSTS for Apache2, and a discussion of why you should avoid them on a production site.

Safer Values of HPKP and HSTS

The major problem is bugs in Chrome. When we enable HPKP, Chrome and all of Google's browsers cache the values. If you navigate to chrome://net-internals/#hsts and run a query against our domain thecustomizewindows.com, at present you'll get these values:

You'll get similar values of sts_expiry with www.smashingmagazine.com too.

After our problem, our site was thankfully made accessible again with extensive help from a partner of GeoTrust, by deletion of the public key pin values. We ourselves applied to be removed from the HSTS list, which failed. As you can see, two weeks after the incident, not all values have yet been flushed. In other words, without their help we would have remained in the dark.

Why You Should Avoid HPKP and HSTS

Because there is no reason to advertise that you will always use HTTPS. You can always specify your CA in a DNS record, as a CAA record.


A minor error in the cached HPKP or HSTS value, whether caused by your own technical issue or by the CA (for HPKP), may make your site virtually banned by Google.

Of course, you can use a very low value to be on the safe side. However, a low value needs to be monitored regularly, as it may become very high when triggered by some unknown bug, as happened to us:

dynamic_sts_observed:1534612314.279288
dynamic_sts_expiry:1621012314.279287

HSTS and HPKP are unfortunately tied to the browsers with current technology. With subdomains included in HSTS, and an error in HPKP, you cannot even redirect to your subdomain (like the www version in our case).
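The two timestamps above are 86400000 seconds (1000 days) apart, which is exactly the max-age that produced them. The following added example (not code from the original post) parses a Strict-Transport-Security or Public-Key-Pins header, reproduces Chrome's expiry arithmetic from an observed time, and flags the settings that caused the trouble described here; the 300-second threshold and the sample pin string are assumptions, not values from the post.

```python
# Timestamps from the post's chrome://net-internals/#hsts output (Unix seconds).
DYNAMIC_STS_OBSERVED = 1534612314.279288
DYNAMIC_STS_EXPIRY = 1621012314.279287

# Constructed sample headers (not taken from the post). A max-age of
# 86400000 seconds (1000 days) is exactly what yields the expiry above.
SAMPLE_HSTS = "max-age=86400000; includeSubDomains"
SAMPLE_HPKP = ('pin-sha256="CONSTRUCTED+PRIMARY+PIN+NOT+REAL="; '
               'max-age=86400000; includeSubDomains')

SAFE_MAX_AGE = 300  # assumed five-minute rollout threshold, not from the post

def parse_directives(header):
    """Map lowercase directive names to values; pin-sha256 values go in 'pins'."""
    directives = {"pins": []}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if not name:
            continue
        if name == "pin-sha256":
            directives["pins"].append(value)
        else:
            directives[name] = value
    return directives

def parse_max_age(header):
    """max-age in seconds, or None when missing or not an integer."""
    value = parse_directives(header).get("max-age")
    return int(value) if value is not None and value.isdigit() else None

def expiry_from_observed(observed, max_age):
    """Chrome's dynamic_sts_expiry is the observed time plus max-age."""
    return observed + max_age

def assess(header, kind="hsts", safe_max_age=SAFE_MAX_AGE):
    """Warnings a site owner should see before a header reaches production."""
    d = parse_directives(header)
    max_age = parse_max_age(header)
    warnings = []
    if max_age is None:
        warnings.append("missing or invalid max-age")
    elif max_age > safe_max_age:
        warnings.append(f"max-age {max_age}s exceeds {safe_max_age}s ({max_age / 86400:.0f} days cached)")
    if "includesubdomains" in d:
        warnings.append("includeSubDomains pins every subdomain, www included")
    if kind == "hpkp" and len(d["pins"]) < 2:
        warnings.append("HPKP needs a backup pin; fewer than two pin-sha256 given")
    return warnings
```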

Recommended Safer Values for HPKP and HSTS and How to Generate Them for Apache

Conclusion

We do not recommend using HPKP, HSTS, and probably also OCSP Stapling on production sites. A domain may get fewer visitors because of odd, unknown errors. The worst case is an unusable domain due to a non-matching pin value. These are not things we can quickly reset ourselves. OCSP Must-Staple is another great thing, but OCSP Stapling and OCSP Must-Staple need a good OCSP response, which is in the hands of the CA, not you.